Skip to content

S24.14: CI supply-chain hardening — persist-credentials + SHA-pin remaining actions #477

Description

@DavidCozens

Parent epic: #254 (E24: Code Hygiene)

Deferred from the PR #476 (S28.09) CodeRabbit review (zizmor findings #1, #2). Both are project-wide CI posture, not lwIP-specific, so they're bundled into one workflow-hardening sweep rather than bolted onto a single lane.

Scope

  1. persist-credentials: false on every actions/checkout step whose job later bind-mounts the repo root (..) into a container (the BDD compose lanes — bdd-freertos-qemu-lwip, bdd-freertos-qemu-plustcp, bdd-linux-syslog-ng, etc.). Currently set nowhere, so the checkout .git credential material is mounted into the behave/QEMU containers.

  2. SHA-pin the remaining tag-pinned actions so the whole workflow is zizmor-clean:

    • dorny/test-reporter@v3 (≈13 occurrences)
    • actions/cache@v4
    • uhafner/quality-monitor@v1

    actions/checkout is already SHA-pinned; this finishes the job.

Acceptance

  • zizmor reports no artipacked / unpinned-uses findings on .github/workflows/ci.yml.
  • All lanes still green (the pins are equivalents of the current major-version tags).

Notes

Not a blocker for #476 — the credentials exposure is to first-party CI containers only, and the action tags are the same ones already trusted across all lanes. This is hygiene/defence-in-depth.

Metadata

Metadata

Assignees

No one assigned

    Labels

    storyStory issue

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions